{"id":119,"date":"2022-04-12T03:02:01","date_gmt":"2022-04-12T03:02:01","guid":{"rendered":"http:\/\/tcm.gov.to\/?page_id=119"},"modified":"2022-04-29T01:54:25","modified_gmt":"2022-04-29T01:54:25","slug":"supplier-relationships","status":"publish","type":"page","link":"https:\/\/tcm.gov.to\/?page_id=119","title":{"rendered":"Supplier Relationships"},"content":{"rendered":"<div id=\"themify_builder_content-119\" data-postid=\"119\" class=\"themify_builder_content themify_builder_content-119 themify_builder\">\n    \t<!-- module_row -->\n\t<div  class=\"themify_builder_row module_row clearfix module_row_0 themify_builder_119_row module_row_119-0 tb_ed5e873\">\n\t    \t    <div class=\"row_inner col_align_top\" >\n\t\t\t<div  class=\"module_column tb-column col3-1 first tb_119_column module_column_0 module_column_119-0-0 tb_i7xd874\" style=\"width: 17%\" >\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_wet7985    \">\n            <div  class=\"tb_text_wrap\">\n    <h4 class=\"u-text u-text-body-color u-text-1\"><b>10. 
Supplier relationships<\/b>\u00a0\u00a0<\/h4>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t<div  class=\"module_column tb-column col3-1 middle tb_119_column module_column_1 module_column_119-0-1 tb_7qun874\" style=\"width: 22%\" >\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_g8ow360    \">\n            <div  class=\"tb_text_wrap\">\n    <h4 class=\"u-text u-text-body-color u-text-2\"><b>10.1 Information security in supplier relationships<\/b><\/h4>\n<p class=\"u-text u-text-3\">Objective: To ensure protection of the organization\u2019s assets that are accessible by suppliers.<\/p>\n<h4 class=\"u-text u-text-body-color u-text-1\"><b>10.2 Supplier service delivery management<\/b><\/h4>\n<p class=\"u-text u-text-2\">Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.<\/p>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t<div  class=\"module_column tb-column col3-1 last tb_119_column module_column_2 module_column_119-0-2 tb_w2j5874\" style=\"width: 54.6%\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  
class=\"module module-text tb_p0sp578    \">\n            <div  class=\"tb_text_wrap\">\n    <section id=\"sec-54d8\" class=\"u-clearfix u-section-1\">\n<div class=\"u-clearfix u-sheet u-sheet-1\">\n<div class=\"u-clearfix u-expanded-width u-gutter-0 u-layout-wrap u-layout-wrap-1\">\n<div class=\"u-layout\">\n<div class=\"u-layout-row\">\n<div class=\"u-container-style u-layout-cell u-right-cell u-size-38 u-layout-cell-3\">\n<div class=\"u-container-layout u-valign-bottom u-container-layout-3\">\n<h4 class=\"u-text u-text-4\"><b>10.1.1 Information security policy for supplier relationships<\/b>\u00a0\u00a0<\/h4>\n<p class=\"u-text u-text-palette-1-base u-text-5\"><strong><em>Information security requirements for mitigating the risks associated with supplier\u2019s access to the organization\u2019s assets should be agreed with the supplier and documented.<\/em><\/strong><\/p>\n<ul class=\"u-text u-text-6\">\n<li>Identify and mandate information security controls in relevant processes and procedures to address supplier access to the organization\u2019s information. For example, if there is a special need for confidentiality of the information, non-disclosure agreements can be used. Another example is data protection risk when the supplier agreement involves transfer of, or access to, information across borders.\u00a0<\/li>\n<li>Create a standardised process and lifecycle for managing supplier relationships, including:<br \/>a) identify and document the types of suppliers, e.g. 
IT services, logistics utilities, financial services, IT infrastructure components, that the organization will allow to access its information;<br \/>b) define the types of information access that different types of suppliers will be allowed, and monitor and control that access;<br \/>c) define minimum information security requirements for each type of information and type of access, and the obligations of suppliers to protect the organization\u2019s information;<br \/>d) monitor adherence to the established information security requirements for each type of supplier and type of access;\u00a0<br \/>e) define the procedures for handling incidents and contingencies associated with supplier access, including the responsibilities of both the organization and suppliers;<br \/>f) define recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party;<br \/>g) address awareness training for the organization\u2019s personnel interacting with supplier personnel.<\/li>\n<\/ul>\n<p class=\"u-text u-text-7\">See also:\u00a0<\/p>\n<ul class=\"u-text u-text-8\">\n<li><span class=\"u-text-palette-1-base\">NIST, Best Practices in Cyber Supply Chain Risk Management,\u00a0<a class=\"u-active-none u-border-none u-btn u-button-link u-button-style u-hover-none u-none u-text-palette-1-base u-btn-1\" href=\"https:\/\/csrc.nist.gov\/CSRC\/media\/Projects\/Supply-Chain-Risk-Management\/documents\/briefings\/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf\">https:\/\/csrc.nist.gov\/CSRC\/media\/Projects\/Supply-Chain-Risk-Management\/documents\/briefings\/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf<\/a><br \/><\/span><\/li>\n<li><span class=\"u-text-palette-1-base\">UK National Cyber Security Centre, Supply chain security guidance,\u00a0<a class=\"u-active-none u-border-none u-btn u-button-link u-button-style u-hover-none u-none u-text-palette-1-base u-btn-2\" 
href=\"https:\/\/www.ncsc.gov.uk\/collection\/supply-chain-security\">https:\/\/www.ncsc.gov.uk\/collection\/supply-chain-security<\/a><\/span><\/li>\n<\/ul>\n<h4 class=\"u-text u-text-9\"><b>10.1.2 Addressing security within supplier agreements<\/b>\u00a0<\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization\u2019s information.<\/span><\/em><\/strong><\/p>\n<p class=\"u-text u-text-10\">Establish and document supplier agreements to avoid misunderstanding between the organization and the supplier regarding both parties\u2019 obligations.\u00a0<\/p>\n<p>Develop the agreements with suppliers and include:<br \/>a) description of the information to be provided or accessed, the sensitivity of the information (classification) and the methods of providing or accessing the information;<br \/>b) legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how compliance with them will be ensured;<br \/>c) obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;<br \/>d) list of supplier personnel authorized to access or receive the organization\u2019s information, or the procedures and conditions under which such authorization is granted;<br \/>e) incident management requirements and procedures (especially notification and collaboration during incident remediation);<br \/>f) training and awareness requirements for specific procedures and information security requirements, e.g. 
for incident response, authorization procedures;<br \/>g) relevant regulations for sub-contracting, including the controls that need to be implemented;<br \/>h) supplier\u2019s obligations to comply with the organization\u2019s security requirements, and the relevant agreement partners, including a contact person for information security issues;<br \/>i) screening requirements, if any, for the supplier\u2019s personnel;<br \/>j) right to audit the supplier processes and controls related to the agreement;<br \/>k) conflict and defect resolution processes.\u00a0<\/p>\n<p>Agreements with suppliers should include requirements to address the information security risks associated with the information and communications technology (ICT) services and product supply chain. Organizations can influence the security practices of the ICT supply chain, including cloud computing services, by making clear in agreements with their suppliers the matters that those suppliers must in turn address with other suppliers further along the ICT supply chain.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/section>\n<section id=\"carousel_c8e5\" class=\"u-clearfix u-section-2\">\n<div class=\"u-clearfix u-sheet u-sheet-1\">\n<div class=\"u-clearfix u-expanded-width u-gutter-0 u-layout-wrap u-layout-wrap-1\">\n<div class=\"u-layout\">\n<div class=\"u-layout-row\">\n<div class=\"u-container-style u-layout-cell u-left-cell u-size-11 u-layout-cell-1\">\n<div class=\"u-container-layout u-container-layout-1\">\u00a0<\/div>\n<\/div>\n<div class=\"u-container-style u-layout-cell u-right-cell u-size-38 u-layout-cell-3\">\n<div class=\"u-container-layout u-valign-bottom u-container-layout-3\">\n<h4 class=\"u-text u-text-3\"><b>10.2.1 Monitoring and review of supplier services<\/b><\/h4>\n<p class=\"u-text u-text-palette-1-base u-text-4\"><strong><em>Organizations should regularly monitor, review and audit supplier service delivery.<\/em><\/strong><\/p>\n<ul class=\"u-text 
u-text-5\">\n<li>Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly.\u00a0<\/li>\n<li>Monitor supplier service performance levels to verify adherence to the agreements. Review supplier audit trails and records of information security events, operational problems, failures, tracing of faults and disruptions related to the service delivered.<\/li>\n<li>Review service reports produced by the supplier and arrange regular progress meetings.\u00a0<\/li>\n<li>Conduct audits of suppliers or, where available, review independent auditors\u2019 reports, and follow up on the issues identified.\u00a0<\/li>\n<li>Exchange information about information security incidents with the supplier and review that information as required by the agreements.<\/li>\n<li>Designate an individual or service management team for managing supplier relationships and provide sufficient technical skills and resources to monitor that the requirements of the supplier agreements are being met.\u00a0<\/li>\n<\/ul>\n<h4 class=\"u-text u-text-6\"><b>10.2.2 Managing changes to supplier services<\/b>\u00a0\u00a0\u00a0<\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">Changes to the provision of services by suppliers, including changes in policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved and a re-assessment of the risks.<\/span><\/em><\/strong><\/p>\n<p class=\"u-text u-text-7\">Changes can originate with the organization (for example, changes to its own policies, procedures and security controls) or with the supplier, and either kind can affect supplier service agreements. 
Changes may include:\u00a0<br \/>a) use of new technologies and development of any new applications and systems, including new development tools and environments;\u00a0<br \/>b) modifications or updates of the organization\u2019s policies and procedures;\u00a0<br \/>c) new or changed security controls;\u00a0<br \/>d) changes and enhancements to networks;\u00a0<br \/>e) changes to the physical location of service facilities;\u00a0<br \/>f) change of suppliers;\u00a0<br \/>g) sub-contracting to another supplier.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/section>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t    <\/div>\n\t    <!-- \/row_inner -->\n\t<\/div>\n\t<!-- \/module_row -->\n\t<\/div>\n\n\n","protected":false},"excerpt":{"rendered":"<p>10. Supplier relationships\u00a0\u00a0 10.1 Information security in supplier relationships Objective: To ensure protection of the organization\u2019s assets that are accessible by suppliers. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-119","page","type-page","status-publish","hentry","has-post-title","has-post-date","has-post-category","has-post-tag","has-post-comment","has-post-author",""],"_links":{"self":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=119"}],"version-history":[{"count":8,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/119\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/119\/revisions\/269"}],"wp:attachment":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}